US20080316357A1 - Secure display method and device - Google Patents

Secure display method and device

Info

Publication number
US20080316357A1
US20080316357A1
Authority
US
United States
Prior art keywords
screen
operating system
information
display
zone
Legal status
Granted
Application number
US12/059,412
Other versions
US8122496B2 (en)
Inventor
Karim Achari
Ronan Loheac
Current Assignee
Banks and Acquirers International Holding SAS
Original Assignee
Compagnie Industrielle et Financiere dIngenierie Ingenico SA
Application filed by Compagnie Industrielle et Financiere dIngenierie Ingenico SA
Assigned to COMPAGNIE INDUSTRIELLE ET FINANCIERE D'INGENIERIE "INGENICO": ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LOHEAC, ROHAN, ACHARI, KARIM
Publication of US20080316357A1
Assigned to COMPAGNIE INDUSTRIELLE ET FINANCIERE D'INGENIERIE "INGENICO": CORRECTIVE ASSIGNMENT TO CORRECT THE TYPOS IN THE SECOND INVENTOR'S NAME AND ADDRESS OF ASSIGNEE PREVIOUSLY RECORDED ON REEL 021128 FRAME 0212. ASSIGNOR(S) HEREBY CONFIRMS THE SECOND LISTED INVENTOR'S NAME, AND THE ADDRESS OF THE ASSIGNEE BOTH INCLUDE TYPOS TO BE FIXED/UPDATED. Assignors: LOHEAC, RONAN, ACHARI, KARIM
Application granted
Publication of US8122496B2
Assigned to INGENICO GROUP: CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: COMPAGNIE INDUSTRIELLE ET FINANCIERE D'INGENIERIE "INGENICO"
Assigned to BANKS AND ACQUIRERS INTERNATIONAL HOLDING: ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: INGENICO GROUP
Status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/82 Protecting input, output or interconnection devices
    • G06F 21/84 Protecting input, output or interconnection devices: output devices, e.g. displays or monitors
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2105 Dual mode as a secondary aspect

Definitions

  • the present disclosure concerns the equipment used for performing actions that involve or relate to objects of a confidential nature.
  • payment actions that involve a bank account number or that relate to the entry of a confidential code or to an amount to be debited or credited can be cited.
  • Other actions can be cited, for example actions of a medical or civil nature that relate to biological or asset data particular to an individual.
  • the natural tendency is to trust equipment that is hardened against intrusions and attacks. This can be achieved at several levels. At the level of the physical construction of the equipment, the electronics can be housed in a box that resists intrusion (tamper resistant), that leaves a visible trace of any tampering attempt (tamper evident), or that reacts to a detected intrusion (tamper responsive).
  • the sensitive data are generally enciphered and their processing is subject to cryptographic protocols.
  • an adequate degree of security is obtained by using only hard-wired electronic circuits. If the flexibility of use of the equipment is to be improved, a minimum of precautions must be taken: it is normally preferred to use software components that run under secure operating systems inaccessible to third parties.
  • the use of an open operating system is generally accompanied by that of a graphical screen for displaying various items of information.
  • a screen offers a particularly expressive way of displaying the mode, secure or otherwise, in which the equipment is operating.
  • an indicator light would have the drawback that the user must be taught to watch it and to interpret it in order to distinguish open mode from secure mode. A pictogram, with or without accompanying text in the language of the user, may also be displayed.
  • such a display, however, poses a security compatibility problem once the platform is opened to any application.
  • a malevolent application could corrupt the display so as to deceive the user by indicating a secure mode in which the terminal is not actually operating.
  • An absence of certainty about the mode in which the terminal is situated presents a considerable drawback.
  • An aspect of the present disclosure relates to a method of secure display on a screen designed to display a first set of information edited by a first operating system.
  • This method comprises a filtering step in which an element allocates, independently of the first operating system, a first zone of the screen to the first set of information and a second zone of the screen to a second set of information edited by a second operating system.
  • the filtering step is combined with a real display step in which the two sets of information are transferred to the screen under the exclusive control of the second operating system so as to produce a secure display of the second set of information.
  • the method comprises one or more of the following characteristics:
  • the first operating system is an open operating system and the second operating system is a secure operating system.
  • the first set of information is written in a virtual video memory under the control of the first operating system and the content of which is accessible to the second operating system.
  • the first set of information is written in a real video memory under the control of the first operating system, so that the first video signals resulting from it can be combined with second video signals resulting from the second set of information under the control of the second operating system.
  • the secure operating system is hosted in a hardware component that isolates the open operating system in terms of direct access to the screen.
  • the second zone is situated on the screen at a first position easily identifiable by a user.
  • the first position is alternately permuted with a second position previously covered by the first zone.
  • the second zone is superimposed with or without transparency on the first zone at one or more positions on the screen.
  • At least one of said positions is moving on the screen.
  • a device for secure display on a screen designed to display a first set of information edited by a first operating system comprises a filter arranged to allocate, independently of the first operating system, a first zone of the screen to the first set of information and a second zone of the screen to the second set of information edited by a second operating system and for transferring the two sets of information to the screen under the sole control of the second operating system so as to produce a secure display of the second set of information.
  • the first operating system of the device is open and the second operating system of the device is secure.
  • the filter comprises at the input a virtual video memory arranged to receive the first set of information under the control of the first open operating system and at the output a real video memory for combining the two sets of information.
  • the filter is arranged to receive first video data generated by a standard processor and second video data generated by a secure processor, and to transfer into a video memory a combination of the first and second video data.
  • the filter is arranged to receive first video signals coming from a first video controller and second video signals coming from a second video controller, and to transfer onto the screen a combination of the first and second video signals.
  • the filter is arranged to place the second zone on the screen at a first position easily identifiable by a user.
  • the filter is arranged to permute said first position alternately with a second position previously covered by the first zone.
  • the filter is arranged to superimpose with or without transparency the second zone on the first zone at one or more positions on the screen.
  • the filter is arranged to make at least one of said positions move on the screen.
  • FIG. 1 depicts schematically an example of a terminal in which it is useful to implement an embodiment of the invention.
  • FIG. 2 depicts steps of the method according to an embodiment of the invention.
  • FIG. 3 depicts a first diagram of a device according to an embodiment of the invention.
  • FIG. 4 depicts a second diagram of a device according to an embodiment of the invention.
  • FIG. 5 depicts a third diagram of a device according to an embodiment of the invention.
  • a payment terminal 1 comprises a keyboard 2 , a screen 3 , a communication coupler 4 and a chip card, magnetic card or contactless card reader 5 .
  • a payment terminal also comprises other elements not shown here such as for example a printer.
  • the screen 3 is advantageously equipped with a touch pad that makes it possible to perform numeric key functions similar to those of a keypad by pressing on a point on the screen marked by a particular image.
  • a user introduces his chip card into the reader 5 through a slot, looks at a transaction amount displayed on the screen 3 and, if he is in agreement with paying this amount, enters his PIN code by entering the figures on the keys on the keypad and validating this code by means of a key provided for this purpose.
  • the terminal checks the validity of the code by dialoguing with the chip and debits the account of the user by dialoguing in addition with a remote server, not shown, by means of the communication coupler 4 .
  • the communication coupler 4 is of a cabled nature, such as is sometimes encountered at the tills in large stores, or of a wireless nature, for example by means of electromagnetic waves.
  • an embodiment of the invention is advantageous for guarding against malevolent applications that might send out the confidential code of the user, for example by text message (SMS).
  • the term “open” is to be taken in its widest sense commonly adopted in the user world. In other words, the term of course designates truly open operating systems such as the original UNIX and LINUX systems. Here the term “open” also designates systems that are widely available commercially, such as for example different versions of Microsoft Windows™. Although the source programs of the core and many primitives of such operating systems remain under the control of the proprietor, common sense attributes the term “open” to them since sufficient accesses to the operating system are widely disseminated. This wide dissemination makes it possible to develop many applications and many hardware platforms that appreciably enhance the availability of products and that in some way establish a wide community of users and developers who share common environments.
  • the equipment goes into secure mode, which it displays on a banner or pictogram.
  • the function of the banner or pictogram is to indicate the mode, secure or non-secure, in which the terminal is situated.
  • the banner is for example displayed at the bottom of the screen 3 , which constitutes a position easily identifiable by the user.
  • Other easily identifiable positions exist, for example at the top, at the right, or the left or moving from top to bottom of the screen 3 .
  • Types of sensitive data in the case of a payment terminal include of course the account data and the bankcard code. It is possible also to think of other types of data such as non-limitatively medical, biometric or social data.
  • a filtering step will be noted in which an element allocates, independently of the first operating system, a first zone of the screen to the first set of information and a second zone of the screen to a second set of information edited by a second operating system.
  • the filtering step is combined with a real display step in which the two sets of information are transferred to the screen under the sole control of the second operating system so as to produce a secure display of the second set of information.
  • the exclusive control exercised by the second operating system acts as a barrier against corruption of the display of the second set of information by an application executed in the environment of the first operating system.
  • a screen is used such as the screen 3 normally provided for displaying a set of information edited by an open operating system.
  • This information results from applications that are installed to use the resources of the operating system where, as seen previously, the term “open” relates essentially to the fact that sufficient components are disseminated to make it possible to develop a wide range of applications which, often in the absence of evaluation from the point of view of security, offer no guarantee with regard to the use that they make of resources of the system.
  • One advantage however is that the display of the information benefits from graphics familiar to the user and allows many user interactions by means of the keyboard 2 or the touch capabilities of the screen itself.
  • the open operating system permanently listens for interrupts or interactions of software or hardware origin.
  • the interactions of hardware origin are those that concern peripherals, in the wide sense, catalogued by a program normally run when the operating system is launched and called the BIOS (basic input output system).
  • Step 12 is generally executed by a display driver installed with the OOS.
  • the display driver transcribes the information received in a video memory periodically scanned by a screen control circuit.
  • the display driver of the OOS is configured to transcribe the information received in a virtual video memory.
  • the virtual video memory is for example simply a reserved zone of the memory controlled by the OOS towards which the display driver of the OOS parameterized for this purpose reroutes the data to be displayed. So as to be able to execute the filtering step, the content of the virtual memory is made accessible at least in read mode to the secure operating system.
  • in step 12, the display under the control of the OOS is then virtual in nature.
  • in a variant, the display driver is configured to transcribe the information received into a real video memory connected to a video controller.
  • the video controller is connected to a component for processing the information so that, in step 12 , the display under the control of the OOS is here also virtual in nature.
  • a secure operating system (SOS) permanently listens for interrupts or interactions of software or hardware origin.
  • the SOS is distinguished from the OOS in that its firmware is of restricted and controlled distribution. A secure system can be obtained by using a proprietary system, or an open base system topped by a software layer that isolates the system from application accesses.
  • the degree of security offered by the SOS will be appreciated since a development of applications adapted to the SOS requires belonging to a limited circle of authorized persons and using specific or adapted development tools.
  • the secure operating system allocates, independently of the open operating system, in a substep 22 , a first zone of the screen to the first set of information and in substep 24 a second zone of the screen to a second set of information edited by the secure operating system.
  • the substep 22 is activated by a transition 21 validated by the reception of the display data coming from the OOS and the substep 24 is activated by a transition 23 validated by the reception of the display data coming from the SOS.
  • the screen 3 has a display surface of 640 pixels by 480 pixels
  • a reduced display surface of 640 pixels by 455 pixels is allocated to the zone 3 a and this reduced surface value is communicated to the OOS as being the total display surface available.
  • the remaining display surface of 640 pixels by 25 pixels is then allocated to the zone 3 b without the OOS having knowledge of this.
  • the values given above are given only by way of illustration and it will be understood that the implementer of the invention remains free to choose any other values.
  • a real display step 26 is activated by a transition 25 validated under the exclusive control of the secure operating system.
  • the two sets of information are transferred to the screen so that the second set of information is displayed in a secure fashion.
  • the secure operating system is advantageously hosted in a hardware component that isolates the open operating system in terms of direct access to the screen.
  • each of the zones on the screen results from an addressing in real video memory carried out at step 26 .
  • the second set of information is for example addressed to the first lines of the real video memory, which corresponds to the 640 by 25 pixels of the bottom of the screen and the first set of information is then addressed to the following lines of the real video memory, which correspond to the 640 by 455 pixels of the top part of the screen.
  • the situation of the second zone in this first position at the bottom of the screen is easily identifiable by a user.
  • in a variant, action is taken not on the addresses but on the signals used for refreshing the screen, typically the clock signals, the control signals and/or the data signals.
  • No malevolent application that uses the resources offered by a first operating system, here the open operating system, can access the second zone, which is reserved for a second operating system, here the secure operating system.
  • the result is a high degree of credibility for the content displayed in the second zone.
  • the display method is improved to counter an attack that would consist of covering the bottom of the screen with adhesive tape or any other means and then launching a malevolent application that displays a false band at the bottom of the first zone so as to deceive the user.
  • the improvement consists of permuting alternately the first position with a second position previously covered by the first zone. This can be achieved for example by reversing the order of addressing in the real video memory. This is able to discourage fraudsters since now obscuring the top and bottom of the screen would result in a considerably reduced useful display surface.
  • the movement of the first zone that results from the permutation would have the effect that a covering placed at one edge alternately masks part of this zone.
  • the alternation of positions is not limited to the top and bottom of the screen: the second zone can also move, randomly or cyclically, to any side at the periphery of the screen, left, right, top or bottom.
  • the improvement consists of not restricting the size of the first zone in comparison with that of the screen.
  • the second zone is then displayed transparently overlapping on one or more points on the first zone.
  • This makes it possible to have available the greatest extent for displaying the image generated under the control of the OOS.
  • This also offers more possibilities for displaying the image generated under the control of the SOS. It is possible for example to make a banner move from top to bottom of the screen in order to indicate the security mode applying or to make one or more pictograms move at different points on the screen.
  • the degree of transparency can be modulated by means of coefficients whose range extends from a faint glow to total obscuring (absence of transparency).
  • the zones ( 3 a ) and ( 3 b ) can thus have a non-zero intersection of any value.
  • electronic equipment such as the terminal 1 of FIG. 1 comprises a memory 7 wholly or partly of the random access memory type and a standard processor 6 , that is to say a processor commercially available.
  • the commercial availability of the documentation generally accompanying the processor does however make it possible to study its vulnerabilities, to the detriment of security.
  • the processor 6 is wired with the memory 7 so as to be able to process the data stored therein.
  • the term “data” is to be taken in its widest sense and can designate both an address, a control register or an instruction, or a variable quantity.
  • a dedicated circuit 33, for example an application-specific integrated circuit (ASIC) or a combination of specific and/or standard integrated circuits, runs a secure operating system. Mechanisms not described here can make it possible to detect hardware or software modifications of the OOS or to ensure functioning in accordance with what is expected for the SOS.
  • the secure operating system (SOS) is for example microprogrammed in the dedicated circuit 33 itself or in a rewritable non-volatile memory (not shown) physically connected to the dedicated circuit 33.
  • the SOS controls the reset signal of the processor 6 so as to block it in the event of detection of an attack.
  • the dedicated circuit 33 moreover accesses a test access port bus 37, for example of the JTAG (Joint Test Action Group) type, wired to the processor 6.
  • Access from the circuit 33 to the bus 37 enables the SOS to install and launch an open operating system (OOS) core 10 in memory 7 in order to be executed by the processor 6 .
  • the bus 37 is also used by the SOS in order to authenticate the core of the OOS on booting.
  • the OOS for its part is configured to validate, where required, the signatures of applications loaded in memory 7.
  • in the event of detection of an attack on the OOS, it is for example possible for the SOS to cease sharing with the OOS so as to take complete control of the display, or even to neutralize the OOS or to reload a default version of it. This further increases the security of use.
  • the memory 7 also contains peripheral drivers to enable the OOS to control peripherals of lesser sensitivity such as the power management, audio properties or a serial link, possibly sharing some with the SOS if necessary, for example wireless connections 4 , an Ethernet coupler or the display on the screen 3 with regard to which additional information will be given in the remainder of the description.
  • the most sensitive peripherals such as for example the card reader 5 , a biometric detector if such exists, numeric keys on the keypad 2 or on the touch screen 3 , are under the sole control of the SOS.
  • the SOS also controls other peripherals, sharing some with the OOS; these are for example a printer, functional keys on the keypad 2 , a modem or the backup battery.
  • the dedicated circuit 33 has a command 35 for switching, by means of a switch 27 , the data exchanged with a touch pad combined with the screen or possibly certain keys on the keypad 2 , either to a link 8 to the OOS or to a link 9 to the SOS.
  • the link 9 is connected to the dedicated circuit 33 for the case where the latter hosts the SOS.
  • a possible alternative to the hardware architecture described with reference to FIG. 3 can be achieved functionally by hosting the SOS in memory 7. It is then preferable in this case to give the SOS highly secure control of the memory 7, for example by means of a protection-ring structure on a model similar to that taught by the patent EP 0208199 B1, or by means of a memory management unit (MMU).
  • the switch 27 can be produced in software form in a security layer of the SOS.
  • Control of the touch pad is requisitioned by the SOS on detection of an event that may take place on switching into secure mode, such as for example the introduction of a chip card in the reader 5 or the swipe of a magnetic stripe card. It should be noted that it is not necessary to introduce the card into a slot, as for example in the case of a contactless card. According to the technology employed, different variants are envisaged to enable the SOS to requisition the touch pad. One is permanent control of the touch pad by the SOS, including in non-secure mode, during which the SOS simply retransmits the signals coming from the touch pad to the OOS; this permanent control then enables the SOS to stop transmitting the signals to the OOS in secure mode. Another is switching of the touch pad to the OOS in non-secure mode and to the SOS in secure mode.
  • the screen 3 being designed to display a set of information edited by the operating system 10, the OOS has a display driver 13 resident in memory 7.
  • a display driver is configured to order the information in a display video memory 34 , the periodic scanning of which transfers the information onto the screen 3 like a mirror.
  • An advantageous mechanism for implementing the security display device prevents direct access of the OOS to the real video memory 34 .
  • the display driver 13 is then configured so that the information edited by the OOS is sent into a virtual video memory (VVM) 28 .
  • the virtual video memory 28 is then used at the input of a filter arranged to allocate, independently of the open operating system, a first zone 3 a of the screen to the first set of information edited by the open operating system.
  • the filter makes it possible to allocate a second zone 3 b of the screen to a second set of information edited by the secure operating system.
  • the filter can be produced in various ways.
  • a direct memory access mechanism 30 (DMA, standing for Direct Memory Access) accelerates the transfer from the virtual video memory 28 to the screen, passing through the real video memory 34 .
  • Other ways of implementing the filter will be disclosed later in the description.
  • a command 36 of the DMA under the control of the SOS makes it possible to arrange the real video memory 34 so as to transfer the two sets of information to the screen under the exclusive control of the secure operating system. In this way a secure display of the second set of information is produced since, the second zone 3 b being inaccessible to the OOS, no application executable by means of the OOS can introduce false information therein.
  • the protection of the display device results from the combination of the virtual video memory 28, the filter associating the dedicated circuit 33 with a direct memory access in memory 28, and the real video memory 34, which each constitute a hardware component arranged to isolate the open operating system in terms of direct access to the screen 3 by means of the secure operating system.
  • This embodiment offers a higher degree of confidence than that naturally granted to a purely software implementation, since no failure and no software intrusion can enable a malevolent application in the open world to access the protected zone of the screen.
  • in a variant, the filter is produced in software form, in a layer with a high degree of protection under the ring structure or MMU control.
  • the SOS for example allocates the various zones by translation of addresses.
  • the second zone is represented by a banner situated at the bottom of the screen 3 , which constitutes a first position easily identifiable by a user.
  • the SOS controls the DMA so as to copy the information extracted from the memory 25 at addresses at the head of the memory 34 and the information signalling the secure or non-secure mode at addresses at the tail of the memory 34 .
  • the SOS can requisition other zones inside the one normally attributed to the OOS, for example in order to overlay a secret code entry window, naturally when the SOS instructs that secure mode should be displayed so as to remove any ambiguity on the confidence to be granted to the entry window.
  • in order to permute alternately the first position with a second position previously covered by the first zone, it suffices for the SOS to modify the addresses in the memory 34 to which it transfers the information edited by the OOS and that edited by the SOS.
  • the zone 3 b passes from the bottom of the screen to the top of the screen, the zone 3 a is shifted downwards and vice versa.
  • the permutation frequency is sufficiently low not to disturb the user.
  • the permutation frequency can be parameterized, possibly supplemented by a random or pseudo-random component and/or by a detection of user activity so as to hold the positioning fixed during the interaction of the user with any one of the zones of the screen.
  • the touch pad is sampled in the form of measurements by the operating system, which establishes a match with a pressed or touched region of the screen.
  • This makes it possible for example to associate a command with an image or to recognize a handwritten signature traced by the user on the screen.
  • the touched place is identified firstly by the coordinates of the pressure detected on the screen, that is to say on the touch pad, and secondly by the coordinates of the image on the screen, that is to say more exactly in the first zone attributed to the OOS.
  • a movement of the first zone on the screen causes a translation of the real coordinates of the image.
  • the device is arranged to translate the coordinates of the pressure point according to the position of the first zone so as to restore the match of the pressure point with the image that suits.
  • the mechanism that has just been described shows an additional advantage of a display of the second zone by superimposition on the first zone.
  • the virtual coordinates that is to say the coordinates as seen by the operating system, being by virtue of the display by superimposition the same as the real display coordinates on the screen, it is no longer necessary to use a complicated mechanism for restoring the match of the pressure point on a touch screen with the image that suits.
  • the device comprises a first standard component in which the standard processor 6 is connected to the memory 7 by a system bus 19 .
  • a DMA element 16 connected to the bus 19 makes it possible to make transfers from the memory 7 to a video memory 14 , also connected to the bus 19 .
  • the video memory 14 is connected to a video controller 15 normally provided for being connected to a screen.
  • the standard processor 6 is provided for executing an open operating system.
  • the device also comprises a second component similar to the previous one and in which a bus 29 connects a random access memory 32 to a video memory 34 that is connected to a video controller 38 .
  • a secure processor 31 that is connected to the bus 29. It is possible to choose from several means for protecting a processor or to combine all or some of these various means.
  • a first means consists of designing the processor itself with a proprietary architecture.
  • a second means consists of protecting the whole of the second component in a box physically resistant to intrusions or capable of detecting them and if necessary making a suitable response to them.
  • a third means consists of providing the processor with a secure operating system as defined previously.
  • the video controller 38 controls the whole of the screen 3 by transmitting to it in a known manner a clock signal for synchronization, a frame signal and a pixel signal in a frame which codes the light and/or color components.
  • a filter 17 is connected firstly to the bus 19 and secondly to the bus 29 .
  • the DMA element 16 is parameterized so as to transfer the video data to the filter 17 instead of transferring them to the video memory 14 .
  • the filter 17 is controlled by the processor 31 (a control represented by the arrow in a single direction going from the bus 29 to the filter 17 ) so as to combine the video data generated under the control of the open operating system with the video data generated under the control of the secure operating system.
  • the video data generated under the control of the open operating system are those coming from the bus 19 and the video data generated under the control of the secure operating system are those coming from the bus 29 .
  • the combination can consist of:
  • a DMA element 18 is parameterised so as to transfer to the filter 17 the video data coming from the memory 32 or directly from the processor 31 and to transfer to the memory 34 the video data combined by the filter 17 .
  • the signals generated by the video controller 38 are rerouted to a filter 39 .
  • the signals generated by the video controller 15 are rerouted to the filter 39 .
  • the DMA element 16 is parameterized in a standard fashion so as to transfer the video data to the video memory 14 .
  • the filter 39 is controlled by the processor 31 (a control represented by the arrow in a single direction going from the bus 29 to the filter 39 ) so as to combine video signals generated under the control of the open operating system with video signals generated under the control of the secure operating system.
  • the video signals generated under the control of the open operating system are those coming from the video controller 15 and the video signals generated under the control of the secure operating system are those coming from the video controller 38 .
  • the combination can consist of:
  • the filter 39 transmits them to the screen 3 just as a video controller would have done.
  • This implementation makes it possible to exploit all the display functionalities of the first component, such as for example the graphical acceleration or 3D display functionalities provided as standard alongside the video controller 15 in many commercially available components.
  • An aspect of the disclosure provides a display method that combines ergonomics and security in the presentation of information.

Abstract

A secure display device is designed to display on a screen a first set of information edited by an open operating system. A secure operating system resident in a dedicated circuit edits a second set of information. A filter allocates, independently of the open operating system, a first zone of the screen to the first set of information and a second zone of the screen to the second set of information. The two zones can have a non-zero intersection of any value. A real video memory is used for transferring the two sets of information to the screen under the sole control of the secure operating system so as to produce a secure display of the second set of information.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • None.
  • FIELD OF THE DISCLOSURE
  • The present disclosure concerns the equipment used for performing actions that involve or relate to objects of a confidential nature. By way of illustration, payment actions that involve a bank account number or that relate to the entry of a confidential code or to an amount to be debited or credited can be cited. Other actions can be cited such as for example actions, of a medical or civil nature, that relate to biological or patrimonial data particular to an individual.
  • BACKGROUND OF THE DISCLOSURE
  • The natural tendency is to prefer equipment that is specially hardened against various intrusions or attacks. This can be achieved at various levels. At the level of the physical construction of the equipment, this can be a tamper-proof box that resists intrusion (tamper resistant), leaves a visible trace of any attempt at sabotage (tamper evident), or gives a suitable response when an intrusion is detected (tamper responsive). At the level of the functional construction, the sensitive data are generally enciphered and their processing is subject to cryptographic protocols. A good degree of security is obtained by using solely hard-wired electronic circuits. A minimum of precautions must be taken if the flexibility of use of the equipment is to be improved. It is normally preferred to use software components that run under secure operating systems inaccessible to third parties.
  • The flexibility of use offered by the equipment disclosed above remains limited. In a world containing a vast amount of various items of electronic equipment such as mobile telephones, personal assistants or microcomputers, a comparable need for flexibility is felt for equipment intended to be used for performing actions that involve or relate to objects of a confidential nature. It is known that the operating systems commonly referred to as open because of their wide distribution offer an appreciable abundance of useful and user-friendly applications that it would be advantageous to be able to use to satisfy this requirement. This opening up to software applications other than those strictly protected has the drawback of putting security in jeopardy. Thus a malevolent application, or one contaminated by malevolent execution sequences, could spy on and betray the security processes of the equipment.
  • There exist solutions that consist of systematically authorizing only duly signed applications to be executed in the equipment. The well known mechanism of signatures generally involves certificates checked by trustworthy bodies to guarantee the integrity of the signed application. This type of solution in fact restricts how open the operating system is, since it also prevents the execution of applications that are not necessarily malevolent and that it would be a pity to be deprived of.
  • There also exist solutions that consist of making the equipment function in two different modes, a completely open mode and a secure mode that is reserved for security applications such as those for performing actions that involve or relate to objects of a confidential nature.
  • The use of an open operating system is generally accompanied by that of a graphical screen for displaying various items of information. Such a screen offers a possibility of particularly expressive display of the mode, secure or otherwise, in which the equipment is situated. In order to inform a user of the equipment of the active mode, an indicator light would have the drawback of requiring the user to be taught to pay attention to it and how to interpret it in order to distinguish open mode from secure mode. It is also conceivable to display a pictogram, with or without a text in the language of the user. However, such a type of display poses a problem of compatibility, in terms of security, with an opening offered to any application. In the open operating mode of the terminal, a malevolent application could corrupt the display so as to deceive the user by displaying a secure mode in which the terminal is not situated. An absence of certainty about the mode in which the terminal is situated presents a considerable drawback.
  • It would be possible to think of using two screens, one for open mode and one for secure mode. Apart from the drawbacks caused in terms of costs and size, this solution would require the user to survey two different screens. This solution would also be vulnerable to certain attacks consisting of putting a shield on the screen allocated to secure mode so as to deceive an uninformed user by displaying a false secure mode on the screen attributed to open mode.
  • SUMMARY
  • An aspect of the present disclosure relates to a method of secure display on a screen designed to display a first set of information edited by a first operating system. This method comprises a filtering step in which an element allocates, independently of the first operating system, a first zone of the screen to the first set of information and a second zone of the screen to a second set of information edited by a second operating system. The filtering step is combined with a real display step in which the two sets of information are transferred to the screen under the exclusive control of the second operating system so as to produce a secure display of the second set of information.
  • According to preferred embodiments, the method comprises one or more of the following characteristics:
  • The first operating system is an open operating system and the second operating system is a secure operating system.
  • In a virtual display step, the first set of information is written in a virtual video memory under the control of the first operating system and the content of which is accessible to the second operating system.
  • According to an alternative, in a virtual display step, the first set of information is written in a real video memory under the control of the first operating system so as to be able to combine the first video signals that result therefrom with second video signals that result from the second set of information under the control of the second operating system.
  • The secure operating system is hosted in a hardware component that isolates the open operating system in terms of direct access to the screen.
  • The second zone is situated on the screen at a first position easily identifiable by a user.
  • The first position is alternately permuted with a second position previously covered by the first zone.
  • The second zone is superimposed with or without transparency on the first zone at one or more positions on the screen.
  • At least one of said positions is moving on the screen.
  • A device for secure display on a screen designed to display a first set of information edited by a first operating system comprises a filter arranged to allocate, independently of the first operating system, a first zone of the screen to the first set of information and a second zone of the screen to the second set of information edited by a second operating system and for transferring the two sets of information to the screen under the sole control of the second operating system so as to produce a secure display of the second set of information.
  • In particular the first operating system of the device is open and the second operating system of the device is secure.
  • The filter comprises at the input a virtual video memory arranged to receive the first set of information under the control of the first open operating system and at the output a real video memory for combining the two sets of information.
  • The filter is arranged to receive first video data generated by a standard processor and second video data generated by a secure processor, and to transfer into a video memory a combination of the first and second video data.
  • The filter is arranged to receive first video signals coming from a first video controller and second video signals coming from a second video controller, and to transfer onto the screen a combination of the first and second video signals.
  • The filter is arranged to place the second zone on the screen at a first position easily identifiable by a user.
  • The filter is arranged to permute said first position alternately with a second position previously covered by the first zone.
  • The filter is arranged to superimpose with or without transparency the second zone on the first zone at one or more positions on the screen.
  • The filter is arranged to make at least one of said positions move on the screen.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Other characteristics and advantages will emerge from a reading of the following description of a preferred embodiment given by way of example and with reference to the accompanying drawing.
  • FIG. 1 depicts schematically an example of a terminal in which it is useful to implement an embodiment of the invention.
  • FIG. 2 depicts steps of the method according to an embodiment of the invention.
  • FIG. 3 depicts a first diagram of a device according to an embodiment of the invention.
  • FIG. 4 depicts a second diagram of a device according to an embodiment of the invention.
  • FIG. 5 depicts a third diagram of a device according to an embodiment of the invention.
  • DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS
  • A description will now be given of an example of implementation of a device for secure display on a screen designed to display a first set of information edited by a first operating system. There will be noted in the device a filter arranged to allocate, independently of the first operating system, a first zone of the screen to the first set of information and a second zone of the screen to a second set of information edited by a second operating system and to transfer the two sets of information to the screen under the sole control of the second operating system so as to produce a secure display of the second set of information.
  • With reference to FIG. 1, a payment terminal 1 comprises a keyboard 2, a screen 3, a communication coupler 4 and a chip card, magnetic card or contactless card reader 5. A payment terminal also comprises other elements not shown here such as for example a printer. The screen 3 is advantageously equipped with a touch pad that makes it possible to perform numeric key functions similar to those of a keypad by pressing on a point on the screen marked by a particular image.
  • For example, a user introduces his chip card into the reader 5 through a slot, looks at a transaction amount displayed on the screen 3 and, if he agrees to pay this amount, enters his PIN code by entering the figures on the keys of the keypad and validating this code by means of a key provided for this purpose. The terminal then checks the validity of the code by dialoguing with the chip and debits the account of the user by dialoguing in addition with a remote server, not shown, by means of the communication coupler 4. The communication coupler 4 is of a cabled nature, such as is sometimes encountered at the tills in large stores, or of a wireless nature, for example by means of electromagnetic waves.
  • In the case of a mobile telephone, with a chip resident in the telephone and a communication coupler 4 consisting of its normal antenna, an embodiment of the invention is advantageous for guarding against malevolent applications that might send out a confidential code of the user, for example by text message (SMS).
  • It is advantageous to equip the terminal 1 with an open operating system. The term “open” is to be taken in its widest sense commonly adopted in the user world. In other words, the term of course designates truly open operating systems such as the original UNIX and LINUX systems. Here the term “open” also designates systems that are widely available commercially, such as for example different versions of Microsoft Windows™. Although the source programs of the core and many primitives of such operating systems remain under the control of the proprietor, common sense attributes the term “open” to them since sufficient accesses to the operating system are widely disseminated. This wide dissemination makes it possible to develop many applications and many hardware platforms that appreciably enhance the availability of products and that in some way establish a wide community of users and developers who share common environments. At the present time such operating systems have adopted the habit of developing graphical interfaces prized for their user friendliness and flexibility. It is then possible to integrate accesses to so-called commercial applications as depicted in FIG. 1: a spreadsheet, a calculator, a telecommunication application or various multimedia applications. However, the opening of such operating systems to numerous applications has the counterpart of also offering access to malevolent applications such as spy software or other unpleasant viruses.
  • So as to make it possible to acquire, process and communicate sensitive data by display or transmission without having to fear interference by a malevolent application, the equipment goes into secure mode, which it displays on a banner or pictogram. The function of the banner or pictogram is to indicate the mode, secure or non-secure, in which the terminal is situated. Here the banner is for example displayed at the bottom of the screen 3, which constitutes a position easily identifiable by the user. Other easily identifiable positions exist, for example at the top, at the right or the left, or moving from top to bottom of the screen 3. Types of sensitive data in the case of a payment terminal include of course the account data and the bankcard code. Other types of data can also be envisaged, such as, non-limitatively, medical, biometric or social data.
  • There exist many advantages in displaying a band, banner or other graphics on the screen rather than switching an indicator light on or off, possibly in different colours. The indicator light risks being easily masked. Moreover, the indicator light would require the user to know its meanings without ambiguity, whereas on a band it suffices to inscribe a clear text “secure mode” or “non-secure mode”, possibly adorned with known signs such as an open or closed padlock. An on-screen display is not fixed: the language or the font size can be adjusted according to the users. Moreover, the users, habituated to directing their gaze onto the screen, find a convenient environment that spares them from having to direct their gaze towards other places on the equipment. By virtue of the protection offered by an embodiment of the invention, the modularity that has just been disclosed can be used with a highly appreciable degree of security.
  • With reference to FIG. 2, preferred steps for implementing a method for secure display on a screen designed to display a first set of information edited by a first operating system are now explained. A filtering step will be noted in which an element allocates, independently of the first operating system, a first zone of the screen to the first set of information and a second zone of the screen to a second set of information edited by a second operating system. The filtering step is combined with a real display step in which the two sets of information are transferred to the screen under the sole control of the second operating system so as to produce a secure display of the second set of information.
  • In this way, the second operating system can be an obstacle to corruption of the display of the second set of information by an application executed in the environment of the first operating system.
  • To implement the method, a screen is used such as the screen 3 normally provided for displaying a set of information edited by an open operating system. This information results from applications that are installed to use the resources of the operating system where, as seen previously, the term “open” relates essentially to the fact that sufficient components are disseminated to make it possible to develop a wide range of applications which, often in the absence of evaluation from the point of view of security, offer no guarantee with regard to the use that they make of resources of the system. One advantage however is that the display of the information benefits from graphics familiar to the user and allows many interventions by the user by means of the keyboard 2 or touch characteristics of the screen itself.
  • In a usual step 10, the open operating system (OOS) is listening out permanently for various interruptions or interactions of software or hardware origin. The interactions of hardware origin are those that concern peripherals, in the wide sense, catalogued by a program normally triggered when the operating system is launched and called BIOS, the acronym for “basic input output system”.
  • A transition 11 validated at each interaction of an application for displaying information activates a step 12. Step 12 is generally executed by a display driver installed with the OOS. Normally, the display driver transcribes the information received in a video memory periodically scanned by a screen control circuit. So as to prepare the following steps of the method, the display driver of the OOS is configured to transcribe the information received in a virtual video memory. The virtual video memory is for example simply a reserved zone of the memory controlled by the OOS towards which the display driver of the OOS parameterized for this purpose reroutes the data to be displayed. So as to be able to execute the filtering step, the content of the virtual memory is made accessible at least in read mode to the secure operating system. In step 12, the display under the control of the OOS is then virtual in nature. In contradistinction to a real display where the image reproduced on the screen is the one actually generated under the control of the OOS, in the case of a virtual display an image is not reproduced on the screen as generated. Another way of preparing the following steps of the method is to configure the display driver in order to transcribe the information received in a real video memory connected to a video controller. Contrary to the custom where the video controller is connected to the screen, the video controller is connected to a component for processing the information so that, in step 12, the display under the control of the OOS is here also virtual in nature.
  • In a step 20 independent of the OOS, a secure operating system (SOS) is listening out permanently for various interruptions or interactions of software or hardware origin. The SOS is distinguished from the OOS in that its microprogram (firmware) is of restricted and controlled distribution. It is possible to obtain a secure system by using a proprietary system or an open basic system but surmounted by a software layer that isolates the system from application accesses. The degree of security offered by the SOS will be appreciated since a development of applications adapted to the SOS requires belonging to a limited circle of authorized persons and using specific or adapted development tools.
  • In a filtering step, the secure operating system allocates, independently of the open operating system, in a substep 22, a first zone of the screen to the first set of information and in substep 24 a second zone of the screen to a second set of information edited by the secure operating system.
  • The substep 22 is activated by a transition 21 validated by the reception of the display data coming from the OOS and the substep 24 is activated by a transition 23 validated by the reception of the display data coming from the SOS.
  • If for example the screen 3 has a display surface of 640 pixels by 480 pixels, a reduced display surface of 640 pixels by 455 pixels is allocated to the zone 3a and this reduced surface value is communicated to the OOS as being the total display surface available. The remaining display surface of 640 pixels by 25 pixels is then allocated to the zone 3b without the OOS having knowledge of this. Naturally the values given above are given only by way of illustration and it will be understood that the implementer of the invention remains free to choose any other values. As will be seen subsequently, it is also possible to allocate all the surface of the screen to the zone 3a and to allocate screen parts not necessarily related to the zone 3b.
  • A real display step 26 is activated by a transition 25 validated under the exclusive control of the secure operating system. In step 26 the two sets of information are transferred to the screen so that the second set of information is displayed in a secure fashion.
  • So as to improve the security of the method, the secure operating system is advantageously hosted in a hardware component that isolates the open operating system in terms of direct access to the screen.
  • The situation of each of the zones on the screen results from an addressing in real video memory carried out at step 26. Taking the numerical example mentioned above simply in order to illustrate the argument, the second set of information is for example addressed to the first lines of the real video memory, which corresponds to the 640 by 25 pixels of the bottom of the screen and the first set of information is then addressed to the following lines of the real video memory, which correspond to the 640 by 455 pixels of the top part of the screen. Thus the situation of the second zone in this first position at the bottom of the screen is easily identifiable by a user.
  • In a case where the virtuality of the display is obtained not by the rerouting of the image information at the input of the video memory but by rerouting at the output of the video controller, action is taken not on the addresses but on the signals that are used for the refreshing of the screen, typically the clock signals, the control signals and/or the data signals.
  • No malevolent application that uses the resources offered by a first operating system, here the open operating system, can access the second zone, which is reserved for a second operating system, here the secure operating system. The result is good qualities of credibility on the content displayed in the second zone.
  • In a first preferred embodiment, the display method is improved in order to combat any attack that would consist of covering the bottom of the screen with an adhesive tape or any other means and then launching a malevolent application that would display a false band at the bottom of the first zone so as to deceive the user. The improvement consists of permuting alternately the first position with a second position previously covered by the first zone. This can be achieved for example by reversing the order of addressing in the real video memory. This can discourage fraudsters, since obscuring both the top and the bottom of the screen would now result in a considerably reduced useful display surface. In addition, the movement of the first zone that results from the permutation would have the effect of masking alternately one part of this zone. In order to avoid unnecessarily fatiguing the user with a movement of the security band, it is possible to provide a frequency with a fairly low half cycle ranging from one minute to a week, but preferentially random or pseudo-random and consequently unpredictable for a fraudster. Likewise the half cycle of the positions on the screen is not limited to the top and bottom but can also follow, in a random or circular manner, any side at the periphery of the screen, either on the left or on the right or at the top or bottom.
  • In a second preferred embodiment, the improvement consists of not restricting the size of the first zone in comparison with that of the screen. The second zone is then displayed transparently overlapping one or more points of the first zone. This makes it possible to have available the greatest extent for displaying the image generated under the control of the OOS. This also offers more possibilities for displaying the image generated under the control of the SOS. It is possible for example to make a banner move from top to bottom of the screen in order to indicate the security mode applying, or to make one or more pictograms move at different points on the screen. A degree of transparency can be modulated by means of coefficients whose parameterizing ranges from a glow to total obscuring (absence of transparency). The zones (3a) and (3b) can thus have a non-zero intersection of any value.
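To make the allocation, permutation and coordinate-translation mechanics concrete, here is an added C model (not code from the patent or its assignee) using the 640 by 480, 640 by 455 and 640 by 25 geometry given above; it also covers the translation of touch coordinates described in the fragments preceding the abstract and the transparency overlay of the second embodiment. The buffer names, the one-byte-per-pixel format and the blending formula are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Geometry from the page: a 640x480 screen, zone 3a (OOS) of 640x455 and zone 3b
 * (SOS banner) of 640x25. One grey byte per pixel keeps the example short (assumption). */
#define SCREEN_W 640
#define SCREEN_H 480
#define BANNER_H 25
#define OOS_H (SCREEN_H - BANNER_H) /* 455: the only height ever reported to the OOS */

/* First position (banner at the bottom) and the second position it is permuted with. */
enum banner_pos { BANNER_BOTTOM = 0, BANNER_TOP = 1 };

/* Virtual video memory: the OOS display driver is rerouted here; the SOS reads it. */
static uint8_t oos_vram[OOS_H][SCREEN_W];
/* Banner image edited by the SOS alone. */
static uint8_t sos_banner[BANNER_H][SCREEN_W];
/* Real video memory scanned by the video controller; only the filter writes it. */
static uint8_t real_vram[SCREEN_H][SCREEN_W];

/* What the OOS is told about the screen: it never learns of the 25 banner rows. */
static int oos_reported_height(void) { return OOS_H; }

/* Row of the real video memory at which zone 3a starts for a given banner position. */
static int oos_row_offset(enum banner_pos pos) { return pos == BANNER_TOP ? BANNER_H : 0; }

/* Filtering and real display steps: the SOS copies both images into real video
 * memory at addresses it chooses. Permuting positions only changes those addresses. */
static void compose(enum banner_pos pos)
{
    int oos_row = oos_row_offset(pos);
    int banner_row = (pos == BANNER_TOP) ? 0 : OOS_H;
    memcpy(real_vram[oos_row], oos_vram, sizeof oos_vram);       /* 455 rows */
    memcpy(real_vram[banner_row], sos_banner, sizeof sos_banner); /* 25 rows */
}

/* Second embodiment: an SOS image of h x w pixels is superimposed on real video memory
 * at (top, left) with a transparency coefficient: alpha 0 leaves the OOS image as is,
 * 255 obscures it totally, values in between give a "glow" (blend formula assumed). */
static void overlay(int top, int left, int h, int w, const uint8_t *img, uint8_t alpha)
{
    for (int r = 0; r < h; r++)
        for (int c = 0; c < w; c++) {
            int y = top + r, x = left + c;
            if (y < 0 || y >= SCREEN_H || x < 0 || x >= SCREEN_W)
                continue; /* clip pictograms that move past the screen edge */
            unsigned bg = real_vram[y][x], fg = img[r * w + c];
            real_vram[y][x] = (uint8_t)((fg * alpha + bg * (255u - alpha)) / 255u);
        }
}

struct point { int x, y; };

/* Touch handling: a pressure at real screen coordinates is either in the banner
 * (kept by the SOS; the OOS never sees it; returns 0) or translated into the OOS's
 * virtual coordinates, which always run 0..OOS_H-1 whatever the banner position. */
static int translate_touch(enum banner_pos pos, struct point real, struct point *virt)
{
    int off = oos_row_offset(pos);
    if (real.y < off || real.y >= off + OOS_H)
        return 0;
    virt->x = real.x;
    virt->y = real.y - off;
    return 1;
}

/* Read-back of the real video memory, as the video controller would see it. */
static uint8_t pixel_at(int y, int x) { return real_vram[y][x]; }

/* Constructed sample content: a flat grey OOS image and a bright SOS banner. */
static void fill_sample(void)
{
    memset(oos_vram, 0x40, sizeof oos_vram);
    memset(sos_banner, 0xF0, sizeof sos_banner);
}

int main(void)
{
    struct point virt;
    fill_sample();
    printf("OOS is told the screen is %d rows high\n", oos_reported_height());
    compose(BANNER_BOTTOM);
    printf("bottom: row 0 = %02x, row %d = %02x\n", pixel_at(0, 0), SCREEN_H - 1, pixel_at(SCREEN_H - 1, 0));
    compose(BANNER_TOP);
    printf("top:    row 0 = %02x, row %d = %02x\n", pixel_at(0, 0), SCREEN_H - 1, pixel_at(SCREEN_H - 1, 0));
    /* With the banner at the top, a pressure on row 10 stays with the SOS ... */
    printf("touch (10,10) reaches OOS: %d\n", translate_touch(BANNER_TOP, (struct point){10, 10}, &virt));
    /* ... and the first OOS row now lies at real row 25, which maps to virtual row 0. */
    if (translate_touch(BANNER_TOP, (struct point){10, BANNER_H}, &virt))
        printf("touch (10,%d) -> virtual (%d,%d)\n", BANNER_H, virt.x, virt.y);
    return 0;
}
```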
  • With reference to FIG. 3, electronic equipment such as the terminal 1 of FIG. 1 comprises a memory 7, wholly or partly of the random access memory type, and a standard processor 6, that is to say a commercially available processor. The commercial availability of the documentation generally accompanying the processor does however make it possible to study its vulnerabilities to the prejudice of security. The processor 6 is wired with the memory 7 so as to be able to process the data stored therein. The term “data” is to be taken in its widest sense and can designate an address, a control register, an instruction or a variable quantity.
  • A dedicated circuit 33, for example of the integrated circuit type for specific application (ASIC, the acronym for Application Specific Integrated Circuit) or a combination of specific and/or standard integrated circuits, uses a secure operating system. Mechanisms not described here can make it possible to detect hardware or software modifications of the OOS or to ensure functioning in accordance with what is expected for the SOS. By way of example, the secure operating system (SOS) is for example microprogrammed in the dedicated circuit 33 itself or in a rewritable etched memory (not shown) physically connected to the dedicated circuit 33. The SOS controls the signal reinitializing the processor 6 so as to block it in the event of detection of an attack. The dedicated circuit 33 moreover accesses a test access port bus 37, for example of the JTAG type (the acronym for Joint Test Action Group) wired to the processor 6. Access from the circuit 33 to the bus 37 enables the SOS to install and launch an open operating system (OOS) core 10 in memory 7 in order to be executed by the processor 6. The bus 37 is also used by the SOS in order to authenticate the core of the OOS on booting. The OOS for its part is configured to validate if necessary signatures of applications loaded in memory 7. In the event of detection of an attack on the OOS, it is for example possible to allow the SOS to cease sharing with the OOS so as to take complete control of the display, or even to neutralize the OOS or to reload a default version of the OOS. This further increases the security of use.
  • The memory 7 also contains peripheral drivers enabling the OOS to control peripherals of lesser sensitivity such as power management, audio properties or a serial link, possibly sharing some of them with the SOS where necessary, for example the wireless connections 4, an Ethernet coupler or the display on the screen 3, about which additional information is given in the remainder of the description.
  • The most sensitive peripherals such as for example the card reader 5, a biometric detector if such exists, numeric keys on the keypad 2 or on the touch screen 3, are under the sole control of the SOS. The SOS also controls other peripherals, sharing some with the OOS; these are for example a printer, functional keys on the keypad 2, a modem or the backup battery.
  • The dedicated circuit 33 has a command 35 for switching, by means of a switch 27, the data exchanged with a touch pad combined with the screen or possibly certain keys on the keypad 2, either to a link 8 to the OOS or to a link 9 to the SOS. In FIG. 3 the link 9 is connected to the dedicated circuit 33 for the case where the latter hosts the SOS.
  • A possible alternative to the hardware architecture described with reference to FIG. 3 can be achieved functionally by hosting the SOS in memory 7. In this case it is preferable to give the SOS highly secure control of the memory 7, for example by means of a ring-based protection structure on a model similar to that taught by the patent EP 0208199 B1, or by means of a memory management unit (MMU). According to this alternative, the switch 27 can be produced in software form in a security layer of the SOS.
  • Control of the touch pad is requisitioned by the SOS on detection of an event that may occur on switching into secure mode, such as the introduction of a chip card into the reader 5 or the swipe of a magnetic strip card. It should be noted that it is not necessary to introduce the card into a slot, as for example in the case of a contactless card. Depending on the technology employed, different variants are envisaged to enable the SOS to requisition the touch pad. One is permanent control of the touch pad by the SOS, including in non-secure mode, during which the SOS simply retransmits the signals coming from the touch pad to the OOS; this permanent control then enables the SOS to stop transmitting the signals to the OOS in secure mode. Another is switching of the touch pad to the OOS in non-secure mode and to the SOS in secure mode.
  • The screen 3 being designed to display a set of information edited by the operating system 10, the OOS has a display driver 13 resident in memory 7. Normally, such a display driver is configured to order the information in a display video memory 34, the periodic scanning of which transfers the information onto the screen 3 like a mirror.
  • An advantageous mechanism for implementing the security display device according to an embodiment of the invention prevents direct access of the OOS to the real video memory 34. The display driver 13 is then configured so that the information edited by the OOS is sent into a virtual video memory (VVM) 28.
  • The virtual video memory 28 is then used at the input of a filter arranged to allocate, independently of the open operating system, a first zone 3a of the screen to the first set of information edited by the open operating system. The filter also makes it possible to allocate a second zone 3b of the screen to a second set of information edited by the secure operating system.
  • The filter can be produced in various ways. By way of illustration, the use of a direct memory access mechanism 30 (DMA, standing for Direct Memory Access) accelerates the transfer from the virtual video memory 28 to the screen, passing through the real video memory 34. Other ways of implementing the filter will be disclosed later in the description.
  • A command 36 of the DMA under the control of the SOS makes it possible to arrange the real video memory 34 so as to transfer the two sets of information to the screen under the exclusive control of the secure operating system. In this way a secure display of the second set of information is produced since, the second zone 3b being inaccessible to the OOS, no application executable by means of the OOS can introduce false information therein.
  • With reference to FIG. 3, the protection of the display device results from the combination of the virtual video memory 28, the filter associating the dedicated circuit 33 with a direct memory access to memory 28, and the real video memory 34, which each constitute a hardware component arranged to isolate the open operating system from direct access to the screen 3, under the control of the secure operating system. This embodiment offers a better degree of confidence than the one naturally granted to a logical implementation, since no breakdown and no software intrusion can enable a malevolent application in the open world to access the protected zone of the screen.
  • In the case of the alternative previously disclosed, where a mechanism of the ring protection type or by MMU is involved, it is possible to conceive an embodiment of the filter in software form, in a layer with a high degree of protection of the ring structure or under MMU control. Whether or not associated with the management of the keypad, the SOS for example allocates the various zones by translation of addresses.
  • It will be noted in FIG. 1 that the second zone is represented by a banner situated at the bottom of the screen 3, which constitutes a first position easily identifiable by a user. If the screen is a line by line reproduction of the memory 34, the SOS controls the DMA so as to copy the information extracted from the memory 25 to addresses at the head of the memory 34 and the information signalling the secure or non-secure mode to addresses at the tail of the memory 34. By virtue of the device disclosed above, it will be understood that the SOS can requisition other zones inside the one normally attributed to the OOS, for example in order to overlay a secret code entry window, naturally when the SOS instructs that secure mode should be displayed, so as to remove any ambiguity on the confidence to be granted to the entry window.
  • In order to permute the first position alternately with a second position previously covered by the first zone, it suffices for the SOS simply to modify the addresses of the memory 34 into which it transfers the information edited by the OOS and that edited by the SOS. When the zone 3b passes from the bottom of the screen to the top, the zone 3a is shifted downwards, and vice versa. The permutation frequency is sufficiently low not to disturb the user. Advantageously the permutation frequency can be parameterized, with the possibility of adding a random or pseudo-random component and/or a detection of user activity so as to fix the positioning while the user is interacting with any one of the zones of the screen. The touch pad is sampled in the form of measurements by the operating system, which establishes a match with a pressed or touched region of the screen. This makes it possible for example to associate a command with an image or to recognize a handwritten signature traced by the user on the screen. This region is identified firstly by the coordinates of the pressure detected on the screen, that is to say on the touch pad, and secondly by the coordinates of the image on the screen, that is to say more exactly in the first zone attributed to the OOS. A movement of the first zone on the screen causes a translation of the real coordinates of the image. In order to bring the coordinates of the image into agreement with those of the pressure point, the device is arranged to translate the coordinates of the pressure point according to the position of the first zone, so as to restore the match between the pressure point and the corresponding image.
  • The mechanism just described shows an additional advantage of displaying the second zone by superimposition on the first zone. Since, with display by superimposition, the virtual coordinates (that is to say the coordinates as seen by the operating system) are the same as the real display coordinates on the screen, it is no longer necessary to use a complicated mechanism for restoring the match between the pressure point on a touch screen and the corresponding image.
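Added example, not code from the patent: a C model of the FIG. 3 mechanism in which the SOS alone writes the real video memory 34, copying the OOS's virtual video memory (zone 3a) and its own banner (zone 3b) to the head or tail of the frame, permuting the two positions, and translating touch coordinates according to where the first zone currently sits. The function names (sos_compose, sos_permute, sos_translate_touch), the screen dimensions and the pixel format are all hypothetical.

```c
/* Added example (not the patent's own code): software model of the FIG. 3
 * filter. The OOS only ever writes the virtual video memory (VVM) covering
 * zone 3a; the SOS copies the VVM and its banner (zone 3b) into the real
 * video memory at addresses it chooses, so the OOS cannot reach the banner.
 * All dimensions and pixel values below are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCREEN_W   8                      /* constructed, tiny for readability */
#define SCREEN_H   6
#define BANNER_H   2                      /* zone 3b: height of the SOS banner  */
#define OOS_H      (SCREEN_H - BANNER_H)  /* zone 3a: rows left to the OOS      */

typedef uint8_t pixel_t;                  /* one grey level per pixel (constructed) */

/* Position of the secure banner; only the SOS may change this. */
enum banner_pos { BANNER_BOTTOM = 0, BANNER_TOP = 1 };

struct sos_display {
    enum banner_pos pos;
    pixel_t banner[BANNER_H * SCREEN_W];  /* second set of information (SOS) */
    pixel_t real_vm[SCREEN_H * SCREEN_W]; /* memory 34, scanned line by line */
};

/* Row of the real video memory at which zone 3a (OOS content) starts. */
static int oos_first_row(enum banner_pos pos)
{
    return pos == BANNER_TOP ? BANNER_H : 0;
}

/* Row of the real video memory at which zone 3b (SOS banner) starts. */
static int banner_first_row(enum banner_pos pos)
{
    return pos == BANNER_TOP ? 0 : OOS_H;
}

/* The DMA transfer under SOS control: VVM rows go to the OOS zone, banner
 * rows to the SOS zone. Whatever the OOS puts in the VVM, it only ever
 * lands in zone 3a, because the destination addresses are fixed here. */
void sos_compose(struct sos_display *d, const pixel_t *vvm)
{
    memcpy(&d->real_vm[oos_first_row(d->pos) * SCREEN_W], vvm,
           OOS_H * SCREEN_W);
    memcpy(&d->real_vm[banner_first_row(d->pos) * SCREEN_W], d->banner,
           BANNER_H * SCREEN_W);
}

/* Permute the banner between bottom and top; zone 3a shifts the other way.
 * The SOS only has to change the destination addresses of the next transfer. */
void sos_permute(struct sos_display *d, const pixel_t *vvm)
{
    d->pos = (d->pos == BANNER_TOP) ? BANNER_BOTTOM : BANNER_TOP;
    sos_compose(d, vvm);
}

/* Translate a real touch point into the OOS's virtual coordinates.
 * Returns 1 and fills vx/vy when the point lies in zone 3a; returns 0 when
 * it lies in the banner, in which case the event stays with the SOS. */
int sos_translate_touch(const struct sos_display *d, int rx, int ry,
                        int *vx, int *vy)
{
    int first = oos_first_row(d->pos);
    if (rx < 0 || rx >= SCREEN_W || ry < first || ry >= first + OOS_H)
        return 0;
    *vx = rx;
    *vy = ry - first;   /* undo the shift caused by the zone's position */
    return 1;
}

int main(void)
{
    struct sos_display d = { .pos = BANNER_BOTTOM };
    pixel_t vvm[OOS_H * SCREEN_W];
    int vx, vy;

    memset(d.banner, 0xFF, sizeof d.banner);          /* bright banner (constructed) */
    for (int i = 0; i < OOS_H * SCREEN_W; i++)
        vvm[i] = (pixel_t)(i % 16);                   /* OOS content (constructed) */

    sos_compose(&d, vvm);
    printf("banner at bottom: last row belongs to %s\n",
           d.real_vm[(SCREEN_H - 1) * SCREEN_W] == 0xFF ? "SOS" : "OOS");
    sos_permute(&d, vvm);
    if (sos_translate_touch(&d, 3, 4, &vx, &vy))
        printf("banner at top: real touch (3,4) -> virtual (%d,%d)\n", vx, vy);
    return 0;
}
```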
  • With reference to FIG. 4, the device comprises a first standard component in which the standard processor 6 is connected to the memory 7 by a system bus 19. A DMA element 16 connected to the bus 19 makes it possible to make transfers from the memory 7 to a video memory 14, also connected to the bus 19. Moreover the video memory 14 is connected to a video controller 15 normally provided for being connected to a screen. The standard processor 6 is provided for executing an open operating system.
  • The device also comprises a second component similar to the previous one, in which a bus 29 connects a random access memory 32 to a video memory 34 that is connected to a video controller 38. Unlike the first component, it is a secure processor 31 that is connected to the bus 29. It is possible to choose from several means for protecting a processor, or to combine all or some of these various means. A first means consists of designing the processor itself with a proprietary architecture. A second means consists of protecting the whole of the second component in a box physically resistant to intrusions, or capable of detecting them and if necessary making a suitable response to them. A third means consists of providing the processor with a secure operating system as defined previously.
  • In the implementation explained with reference to FIG. 4, the video controller 38 controls the whole of the screen 3 by transmitting to it, in a known manner, a clock signal for synchronization, a frame signal and a pixel signal in a frame which codes the light and/or color components. A filter 17 is connected firstly to the bus 19 and secondly to the bus 29. The DMA element 16 is parameterized so as to transfer the video data to the filter 17 instead of transferring them to the video memory 14. The filter 17 is controlled by the processor 31 (a control represented by the arrow in a single direction going from the bus 29 to the filter 17) so as to combine the video data generated under the control of the open operating system with the video data generated under the control of the secure operating system. The video data generated under the control of the open operating system are those coming from the bus 19, and the video data generated under the control of the secure operating system are those coming from the bus 29. According to the variant adopted among those previously disclosed, the combination can consist of:
      • attributing distinct display coordinates X, Y to the two types of video data (coming from the bus 19 and coming from the bus 29), in a fixed or movable fashion;
      • sharing certain display coordinates X, Y for at least some of the two types of video data by mixing the signals, for example by adding them so as to create a transparent overlap effect, here also in a fixed or movable fashion.
  • As the video data are gradually combined, the filter 17 transmits them to the video memory 34 via the bus 29. So as to improve the fluidity of the image and to relieve the processor 31, a DMA element 18 is parameterized so as to transfer to the filter 17 the video data coming from the memory 32 or directly from the processor 31, and to transfer to the memory 34 the video data combined by the filter 17.
  • In the implementation explained with reference to FIG. 5, the signals generated by the video controller 38 are rerouted to a filter 39. Likewise the signals generated by the video controller 15 are rerouted to the filter 39. The DMA element 16 is parameterized in a standard fashion so as to transfer the video data to the video memory 14. The filter 39 is controlled by the processor 31 (a control represented by the arrow in a single direction going from the bus 29 to the filter 39) so as to combine video signals generated under the control of the open operating system with video signals generated under the control of the secure operating system. The video signals generated under the control of the open operating system are those coming from the video controller 15 and the video signals generated under the control of the secure operating system are those coming from the video controller 38. According to the variant adopted among those previously disclosed, the combination can consist of:
      • acting on the clock signal in a constant or variable manner so as to switch the two types of video signal (coming from the controller 15 and coming from the controller 38) to distinct parts of the screen 3;
      • for each of all or some of the pixels of the screen 3, mixing the signals, for example by adding them so as to create a transparent overlap effect. The mobility of the pictogram or of the security banner and the positioning of a security entry window can then be fully managed by an application under the control of the SOS by displaying its image on a neutral background, the two operating systems having available all the display surface.
  • As the video signals are gradually combined, the filter 39 transmits them to the screen 3 just as a video controller would have done. This implementation makes it possible to exploit all the display functionalities of the first component, such as the graphical acceleration or 3D display functionalities provided as standard alongside the video controller 15 in many commercially available components.
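Added example, not code from the patent: a C model of the FIG. 5 filter 39 combining the pixel streams of the two video controllers before they reach the screen, either by selecting one stream for a region (distinct display coordinates) or by saturating addition (transparent overlap), so that a SOS image drawn on a neutral black background shows through wherever the SOS places it while the OOS keeps the whole surface. The names f39_combine, f39_frame and f39_rect, the per-pixel mode scheme and the 8-bit grey pixel format are hypothetical.

```c
/* Added example (not the patent's own code): software model of the FIG. 5
 * filter 39. The SOS (processor 31) programs the filter; the OOS has no say
 * in how its stream is combined. Pixel format and sizes are constructed. */
#include <stdint.h>
#include <stddef.h>

typedef uint8_t pixel_t;   /* one 8-bit grey level per pixel (constructed) */

/* How the filter treats a given pixel position, as chosen by the SOS. */
enum f39_mode { F39_SELECT_OOS, F39_SELECT_SOS, F39_ADD };

/* Combine one pixel from controller 15 (OOS) and controller 38 (SOS). */
pixel_t f39_combine(enum f39_mode mode, pixel_t oos, pixel_t sos)
{
    unsigned sum;
    if (mode == F39_SELECT_OOS) return oos;
    if (mode == F39_SELECT_SOS) return sos;
    sum = (unsigned)oos + sos;              /* F39_ADD: saturate, never wrap */
    return sum > 255 ? 255 : (pixel_t)sum;
}

/* Rectangle the SOS reserves for itself in select mode (an opaque zone 3b). */
struct f39_rect { int x, y, w, h; };

static int in_rect(const struct f39_rect *r, int x, int y)
{
    return x >= r->x && x < r->x + r->w && y >= r->y && y < r->y + r->h;
}

/* Run the filter over one frame in scan order, as the pixel clock would.
 * Inside 'opaque' the SOS stream is selected; elsewhere the two streams are
 * added, so SOS pixels equal to 0 (neutral background) leave the OOS image
 * untouched and non-zero SOS pixels appear as a transparent overlay that the
 * SOS can move simply by redrawing its own frame. */
void f39_frame(const struct f39_rect *opaque, int w, int h,
               const pixel_t *oos, const pixel_t *sos, pixel_t *out)
{
    for (int y = 0; y < h; y++)
        for (int x = 0; x < w; x++) {
            size_t i = (size_t)y * w + x;
            enum f39_mode m = in_rect(opaque, x, y) ? F39_SELECT_SOS : F39_ADD;
            out[i] = f39_combine(m, oos[i], sos[i]);
        }
}
```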
  • In terms of putting into industrial production, the possibility offered by an embodiment of the invention of reconciling the user friendliness of numerous items of information processing equipment produced on a large scale with the robustness required for secure processing of sensitive information will be appreciated.
  • An aspect of the disclosure provides a display method that allies ergonomics and security in the presentation of information.
  • Naturally, the present invention is not limited to the examples and embodiments described and depicted but is capable of many variants accessible to persons skilled in the art. Although the present disclosure has been described with reference to one or more examples, workers skilled in the art will recognize that changes may be made in form and detail without departing from the scope of the disclosure and/or the appended claims.

Claims (17)

1. Method of secure display on a screen designed to display a first set of information edited by a first operating system, comprising:
a filtering step in which an element allocates, independently of the first operating system, a first zone of the screen to the first set of information and a second zone of the screen to a second set of information edited by a second operating system which is secure; and
a real display step in which the two sets of information are transferred to the screen under sole control of the second secured operating system so as to produce a secure display of the second set of information.
2. Display method according to claim 1, wherein the first operating system is open.
3. Display method according to claim 1, wherein the method comprises a virtual display step in which the first set of information is written in a virtual video memory under control of the first operating system and wherein content of the virtual video memory is accessible to the second operating system.
4. Display method according to claim 1, wherein the method comprises a virtual display step in which the first set of information is written in a real video memory under control of the first operating system so as to be able to combine first video signals that result therefrom with second video signals that result from the second set of information under the control of the second operating system.
5. Display method according to claim 1, wherein the second zone is situated on the screen at a first position easily identifiable by a user.
6. Display method according to claim 5, wherein said first position is alternately permuted with a second position previously covered by the first zone.
7. Display method according to claim 1, wherein the second zone is superimposed with or without transparency on the first zone at one or more positions in the screen.
8. Display method according to claim 7, wherein at least one of said positions is moving on the screen.
9. Device for secure display on a screen designed to display a first set of information edited by a first operating system, comprising a filter arranged to allocate independently of the first operating system a first zone of the screen to the first set of information and a second zone of the screen to a second set of information edited by a second operating system which is secure and for transferring the two sets of information to the screen under sole control of the second secured operating system so as to produce a secure display of the second set of information.
10. Display device according to claim 9, wherein the first operating system is open and the second operating system is secure.
11. Display device according to claim 9, wherein the filter comprises at an input thereof a virtual video memory arranged to receive the first set of information under control of the first operating system and at an output thereof a real video memory for combining the two sets of information.
12. Display device according to claim 9, wherein the filter is arranged to receive first video data generated by a standard processor and second video data generated by a secure processor, and for transferring into video memory a combination of the first and second video data.
13. Display device according to claim 9, wherein the filter is arranged to receive first video signals coming from a first video controller and second video signals coming from a second video controller, and to transfer onto the screen a combination of the first and second video signals.
14. Display device according to claim 9, wherein the filter is arranged to place the second zone on the screen at a first position easily identifiable by a user.
15. Display device according to claim 14, wherein the filter is arranged to permute said first position alternately with a second position previously covered by the first zone.
16. Display device according to claim 9, wherein the filter is arranged to superimpose the second zone on the first zone, with or without transparency, at one or more positions on the screen.
17. Display device according to claim 16, wherein the filter is arranged to make at least one of said positions move on the screen.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0702333A FR2914457B1 (en) 2007-03-30 2007-03-30 SECURITY VISUALIZATION METHOD AND DEVICE
FR07/02333 2007-03-30
FR0702333 2007-03-30

Publications (2)

Publication Number Publication Date
US20080316357A1 true US20080316357A1 (en) 2008-12-25
US8122496B2 US8122496B2 (en) 2012-02-21

Family

ID=38895824

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/059,412 Active 2030-12-22 US8122496B2 (en) 2007-03-30 2008-03-31 Secure display method and device

Country Status (5)

Country Link
US (1) US8122496B2 (en)
EP (1) EP1975840B1 (en)
ES (1) ES2700839T3 (en)
FR (1) FR2914457B1 (en)
PL (1) PL1975840T3 (en)

Also Published As

Publication number Publication date
PL1975840T3 (en) 2019-02-28
ES2700839T3 (en) 2019-02-19
EP1975840A2 (en) 2008-10-01
US8122496B2 (en) 2012-02-21
FR2914457A1 (en) 2008-10-03
EP1975840B1 (en) 2018-09-05
EP1975840A3 (en) 2009-04-22
FR2914457B1 (en) 2009-09-04

Legal Events

Date Code Title Description
AS Assignment

Owner name: COMPAGNIE INDUSTRIELLE ET FINANCIERE D'INGENIERIE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ACHARI, KARIM;LOHEAC, ROHAN;REEL/FRAME:021128/0212;SIGNING DATES FROM 20080609 TO 20080611

Owner name: COMPAGNIE INDUSTRIELLE ET FINANCIERE D'INGENIERIE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ACHARI, KARIM;LOHEAC, ROHAN;SIGNING DATES FROM 20080609 TO 20080611;REEL/FRAME:021128/0212

AS Assignment

Owner name: COMPAGNIE INDUSTRIELLE ET FINANCIERE D'INGENIERIE

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE TYPOS IN THE SECOND INVENTOR'S NAME AND ADDRESS OF ASSIGNEE PREVIOUSLY RECORDED ON REEL 021128 FRAME 0212. ASSIGNOR(S) HEREBY CONFIRMS THE SECOND LISTED INVENTOR'S NAME, AND THE ADDRESS OF THE ASSIGNEE BOTH INCULDE TYPOS TO BE FIXED/UPDATED.;ASSIGNORS:ACHARI, KARIM;LOHEAC, RONAN;SIGNING DATES FROM 20080609 TO 20080611;REEL/FRAME:027519/0700

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

AS Assignment

Owner name: INGENICO GROUP, FRANCE

Free format text: CHANGE OF NAME;ASSIGNOR:COMPAGNIE INDUSTRIELLE ET FINANCIERE D'INGENIERIE "INGENICO";REEL/FRAME:058823/0703

Effective date: 20150506

AS Assignment

Owner name: BANKS AND ACQUIRERS INTERNATIONAL HOLDING, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INGENICO GROUP;REEL/FRAME:058173/0055

Effective date: 20200101

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12